How can I verify that login attempts are being logged?

For compliance purposes, I need to ensure that successful and failed logins are being logged. I know Red Hat Linux logs all logins by default. Where is that logging configured? How can I prove to an auditor that login logging hasn't been disabled? I'm using Red Hat Enterprise Linux 7.

A little more information: most users log in via SSH. Administrators have console access. We use Centrify to connect our systems to Active Directory.

Responses

Hi Jonathan,

I do not know Centrify.

The first place I would look is /var/log/secure.

Regards,

Jan Gerrit

Jonathan,

Jan Gerrit Kootstra is of course correct regarding checking /var/log/secure, but also perform a "grep" of the userid in /var/log/messages and /var/log/secure. You may also see activity in /var/log/audit/audit.log. I noticed such activity in these other files. NOTE: If you find /var/log/messages as zero-length (an empty file), then restart the rsyslog service, retry the login and examine the logs. Centrify is a third-party product, and their documentation is at their website.

Regards,
RJ

Thanks for the responses. I can see that logins are being logged to /var/log/secure. /etc/rsyslog.conf is configured to direct all AUTHPRIV messages to that file. My question is, is there a configuration setting that can enable or disable login logging? My company uses a product that scans configuration files looking for settings. For example, it looks in /etc/pam.d/system-auth to make sure the "nullok" token is absent. I'm trying to find out if there's a configuration file that can enable or disable login logging. I know /etc/rsyslog.conf specifies where those messages go, but I'm trying to find out if there's a setting anywhere that specifies whether log messages are generated at all. If possible, I need a configuration file and a setting that our scanner can examine to verify that the system is configured to log logins.

Update: I've been doing some digging, and I found something that says PAM is hard-coded to report authentication events to syslog. Can anyone confirm or deny this? If I can get official confirmation, then that will be enough to satisfy my compliance requirements.

Syslog is sort of like a bus, where logs are sent to. Whatever daemon you have interpreting those messages then filters and writes them to disk. Rsyslog is the daemon in use by default in RHEL7. So, what happens to the logs sent from PAM into syslog is dependent on how you have rsyslog configured. Those config files in /etc/rsyslog.conf and /etc/rsyslog.d/ tell rsyslog where to send messages to.

The best way to ensure logging is configured, and functioning, is to make sure the config in place for rsyslog isn't changing (via some manner of file change monitor) and ensure that the rsyslog service is running via some hook into systemd, or direct process monitoring.
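The following is an added example, not code from anyone in this thread. It puts the two checks discussed above into a script an auditor can rerun: which file rsyslog routes the authpriv facility to (the selector in /etc/rsyslog.conf that Jonathan mentions), and whether the resulting /var/log/secure entries actually show successful and failed logins, including RJ's "grep the userid" check. The rsyslog fragment and the log lines are constructed sample data embedded in the script; the function names (`authpriv_target`, `count_successful`, `count_failed`, `events_for_user`, `live_check`) are mine. `live_check` shows the commands for a real RHEL 7 host (`rsyslogd -N1`, `systemctl is-active`, `logger -p authpriv.info`) and is not executed here.

```shell
#!/bin/sh
# Added example (not from the original thread). Verifies, on constructed
# sample data, that authpriv messages have a destination in rsyslog and
# that the destination file contains both successful and failed logins.

# Constructed rsyslog.conf fragment in the RHEL 7 default layout.
SAMPLE_RSYSLOG_CONF='# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
'

# Constructed /var/log/secure lines: an SSH login accepted, two SSH
# attempts rejected, a console login, and a failed su. Not a real capture.
SAMPLE_SECURE_LOG='Jun  3 09:12:01 host1 sshd[2201]: Accepted publickey for jsmith from 10.0.0.5 port 52212 ssh2: RSA SHA256:abc
Jun  3 09:12:01 host1 sshd[2201]: pam_unix(sshd:session): session opened for user jsmith by (uid=0)
Jun  3 09:13:40 host1 sshd[2250]: Failed password for invalid user admin from 10.0.0.9 port 40110 ssh2
Jun  3 09:13:40 host1 sshd[2250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9
Jun  3 09:13:52 host1 sshd[2255]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9 user=jsmith
Jun  3 09:20:05 host1 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jun  3 09:25:11 host1 su: pam_unix(su:auth): authentication failure; logname=jsmith uid=1001 euid=0 tty=pts/0 ruser=jsmith rhost=  user=root
'

# Print the destination of the first active "authpriv.*" selector read from
# stdin, or nothing if there is none. Feed it either the sample above or
# "cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf". It only understands the
# classic selector syntax; RainerScript rules must be read by hand.
authpriv_target() {
    grep -v '^[[:space:]]*#' | awk '$1 == "authpriv.*" { print $2; exit }'
}

# Successful logins as PAM reports them: one "session opened" per login.
count_successful() {
    grep -cE 'pam_unix\([a-z-]+:session\): session opened for user'
}

# Failed authentications as PAM reports them, regardless of service.
count_failed() {
    grep -cE 'pam_unix\([a-z-]+:auth\): authentication failure'
}

# Every line that names the given user as the subject of a login or
# authentication ("for jsmith", "for user jsmith", "user=jsmith").
events_for_user() {
    grep -E "(for( user)? |user=)$1( |$)"
}

# Wrappers over the constructed sample data.
sample_authpriv_target() { printf '%s' "$SAMPLE_RSYSLOG_CONF" | authpriv_target; }
sample_successful()      { printf '%s' "$SAMPLE_SECURE_LOG" | count_successful; }
sample_failed()          { printf '%s' "$SAMPLE_SECURE_LOG" | count_failed; }
sample_user_events()     { printf '%s' "$SAMPLE_SECURE_LOG" | events_for_user "$1" | grep -c ''; }

# Checks for a real RHEL 7 host; defined here, not run in this example.
# Validates the config rsyslog would load, confirms the unit is active, then
# injects a marker on the authpriv facility and looks for it in the target.
live_check() {
    target=$(cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null | authpriv_target)
    [ -n "$target" ] || { echo "no authpriv.* selector found"; return 1; }
    rsyslogd -N1 >/dev/null 2>&1 || { echo "rsyslog config fails validation"; return 1; }
    systemctl is-active --quiet rsyslog || { echo "rsyslog is not running"; return 1; }
    marker="login-audit-probe-$$-$(date +%s)"
    logger -p authpriv.info "$marker"
    sleep 1
    grep -q "$marker" "$target" || { echo "probe not written to $target"; return 1; }
    echo "authpriv messages reach $target"
}

echo "authpriv.* is routed to: $(sample_authpriv_target)"
echo "PAM sessions opened: $(sample_successful); PAM authentication failures: $(sample_failed)"
echo "Entries naming jsmith:"
printf '%s' "$SAMPLE_SECURE_LOG" | events_for_user jsmith
```

Run `live_check` from a root shell on the host to turn the sample run into evidence: it fails loudly if the selector is missing, if the config does not validate, if rsyslog is stopped, or if a freshly logged authpriv message never lands in the target file. Pair that with a file-integrity monitor on /etc/rsyslog.conf and /etc/rsyslog.d/, as suggested above, and the counts from the log parser give the auditor both the configuration and a demonstration that it works.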

I already have rsyslog configured. I know where syslog messages are being sent. Is it possible to stop PAM from sending messages to syslog? If so, what configuration file would that option be found in?

If it's not possible to stop PAM from sending messages to syslog, then that's all I need and I can mark the discussion as resolved.

I do not believe so, and I cannot find any documentation that says you can't. It may be possible that by disabling certain pam modules, you can make logging stop, but I can't even say that for certain. Apart from filtering pam logs via rsyslog, I do not know of a way to completely disable pam's logging, but that is not to say that it cannot be done.

If you need a definite answer, you may consider opening a support case. One of our support engineers who works more deeply with PAM may be able to say for certain.

I just heard back from our compliance folks, and they said your answer is sufficient. Thank you for your help.